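{
  // Decides whether the requesting URI (aHostURI) may set a cookie for the
  // host/domain recorded in aCookieAttributes.host. Returns PR_TRUE when the
  // cookie may be set, PR_FALSE otherwise.
  //
  // Side effect: aCookieAttributes.host is normalised in place (dots trimmed,
  // lowercased, and for domain cookies a leading '.' prepended), or filled in
  // from the URI host when no domain was given. Some of these edits happen
  // before a PR_FALSE return, so the attribute should be treated as
  // unspecified after a failure.

  // get host from aHostURI
  nsCAutoString hostFromURI;
  if (NS_FAILED(aHostURI->GetAsciiHost(hostFromURI))) {
    return PR_FALSE;
  }

  // trim dots and lowercase, so later comparisons are plain byte compares.
  // (the original note says "trailing dots"; Trim() is called with its
  // default arguments, which presumably strip leading dots too - confirm
  // against the string API.)
  hostFromURI.Trim(".");
  ToLowerCase(hostFromURI);

  // if a domain is given, check the host has permission
  if (!aCookieAttributes.host.IsEmpty()) {
    aCookieAttributes.host.Trim(".");
    // switch to lowercase now, to avoid case-insensitive compares everywhere
    ToLowerCase(aCookieAttributes.host);

    // check whether the host is an IP address, and override isDomain to
    // make the cookie a non-domain one. this will require an exact host
    // match for the cookie, so we eliminate any chance of IP address
    // funkiness (e.g. the alias 127.1 domain-matching 99.54.127.1).
    // bug 105917 originally noted the requirement to deal with IP addresses.
    //
    // note that the host is returned without a leading dot on this path.
    if (IsIPAddress(aCookieAttributes.host)) {
      return IsInDomain(aCookieAttributes.host, hostFromURI, PR_FALSE);
    }

    /*
     * verify that this host has the authority to set for this domain. We do
     * this by making sure that the host is in the domain. We also require
     * that a domain have at least one embedded period to prevent domains of
     * the form ".com" and ".edu".
     *
     * The test runs after the Trim() above, so only a dot inside the name
     * counts.
     */
    if (aCookieAttributes.host.FindChar('.') == kNotFound) {
      // fail dot test
      return PR_FALSE;
    }

    // prepend a dot, and check if the host is in the domain
    aCookieAttributes.host.Insert(NS_LITERAL_CSTRING("."), 0);
    if (!IsInDomain(aCookieAttributes.host, hostFromURI)) {
      return PR_FALSE;
    }

    /*
     * note: RFC2109 section 4.3.2 requires that we check the following:
     * that the portion of host not in domain does not contain a dot.
     * this prevents hosts of the form x.y.co.nz from setting cookies in the
     * entire .co.nz domain. however, it's only a partial solution and
     * it breaks sites (IE doesn't enforce it), so we don't perform this check.
     *
     * NOTE(review): as a consequence, the single-embedded-dot test above is
     * the only limit on how broad a domain may be in this block. It rejects
     * one-label names but accepts multi-label registry suffixes such as
     * "co.nz"; closing that gap needs a registry / public-suffix lookup,
     * which nothing visible here performs.
     */

  // no domain specified, use hostFromURI
  } else {
    // block any URIs without a host that aren't file:/// URIs
    if (hostFromURI.IsEmpty()) {
      PRBool isFileURI = PR_FALSE;
      // fail closed: a failed scheme query is treated the same as
      // "not a file URI" instead of trusting the out-parameter.
      if (NS_FAILED(aHostURI->SchemeIs("file", &isFileURI)) || !isFileURI) {
        return PR_FALSE;
      }
    }
    aCookieAttributes.host = hostFromURI;
  }

  return PR_TRUE;
}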